PBF
'''Policy-Based Forwarding Policies'''
*Puts specific applications or specific traffic on a separate interface for more security/performance.
*Directs traffic based on source zone, source address, source user, destination address, destination application, and destination service.
*Symmetric routing: the originating and returning traffic must use the same path, otherwise it will fail.
*Can be used to override the routing table.
*ISP load balancing is used when more than one internet provider is connected to the firewall. Policy-Based Forwarding is used to forward traffic based on the source subnet.

Normally, when traffic enters the firewall, the ingress interface's virtual router dictates the route, which determines the outgoing interface and destination security zone based on the destination IP address. With PBF you can specify other information to determine the outgoing interface.

'''Important Notes:'''
*The initial session will not use the PBF rule during that session, even after the App-ID is determined.
*All packets of a session must follow the same path to ensure session state is tracked.
*The PBF rule will be applied IF these criteria match (App-ID cache):
**Destination IP
**IP protocol
**Destination port

'''Example of when to use PBF:''' The public internet is used for most traffic going to and from a branch office. But some applications that aren't encrypted, like FTP, may carry sensitive information. In this case, you might install a private leased line between the branch office and headquarters. But rather than putting all traffic on the more expensive leased line, you can purchase a lower-throughput leased line and only use it for certain applications like FTP.

'''Example of when to use PBF:''' You have 2 connections to a branch office: 1 cheaper internet connection and 1 more expensive leased line. The leased line has better availability and predictable latency. So you can put critical business applications (such as traffic going to financial servers) on the leased line and less critical applications such as web browsing on the Internet connection.

'''Symmetric Routing:''' The originating and the returning traffic must use the same path. If the paths are different, then any firewall in the path that sees only traffic from one direction won't be able to track the state of the entire session and the traffic will fail.

Example of the traffic if it's on 2 different paths: a SYN arrived for a new session on ISP-A, but because the PBF policy on the firewall didn't align with the interface the traffic arrived on, the corresponding SYN/ACK was routed towards ISP-B. The firewall tracks state based on zone pairs. The SYN is associated with the Trust-Untrust-A zone pair, but the SYN/ACK is associated with the Trust-Untrust-B pair. Because there is no initial SYN for the session associated with Trust-Untrust-B, the SYN/ACK fails and the session cannot initiate.

'''Service vs Application:''' A '''Service''' object relies on TCP or UDP ports only.
*So a PBF rule that uses a Service for routing decisions can be applied to all sessions, including the very first one for a given source/destination pair as seen by the firewall.
*PBF is applied on the first packet or the first response to the first packet.
*Downside: an application using a non-standard port might be incorrectly routed.
**EX: a PBF rule that specifies service-http will apply to SSH traffic if SSH was reconfigured to use TCP 80 instead of TCP 22.

PAN adds Application selection to PBF to perform "App-ID caching".

'''App-ID Cache:'''
*The first time an application passes through the firewall, the firewall is not initially aware of what the application is, and the PBF rule is NOT applied. As more packets arrive, the PAN is able to determine the application and it creates an entry in the App-ID cache.
*The next time a new session is created with the same source IP, destination IP, and destination port, the PAN assumes it is the same application as the initial session (based on the App-ID cache) and will then apply the PBF rule.

Policies -> Policy Based Forwarding

'''PBF Commands'''
To verify the configured PBF rules and the monitor state (if applicable):
: > show pbf rule all
View the session ID to see the PBF rule applied:
: > show session id <#####>

Tech doc on how to configure ISP redundancy and load balancing:
*https://live.paloaltonetworks.com/docs/DOC-3579 Dual ISP Branch Office Configuration (3.1.1)
Redundant-internet:
*https://live.paloaltonetworks.com/docs/DOC-1357
*Multiple external zones are no longer required.
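The following is an added example (not PAN-OS code or anything from Palo Alto Networks) that models the Service-vs-Application behaviour described above: a Service-based rule matches on the first session, while an Application-based rule only matches once an App-ID cache entry keyed on (destination IP, IP protocol, destination port) exists from an earlier session. The interface names, rule names and sessions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of PBF rule matching, not the firewall's own code.

@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    app: str        # App-ID the firewall identifies once enough packets arrive

@dataclass
class PbfRule:
    name: str
    egress: str                            # interface the rule forwards to
    service_port: Optional[int] = None     # Service object: port-based match
    application: Optional[str] = None      # Application object: App-ID match

class PbfEngine:
    def __init__(self, rules: List[PbfRule], default_egress: str = "ethernet1/1"):
        self.rules = rules
        self.default_egress = default_egress          # virtual router's choice
        # App-ID cache keyed on (dst IP, IP protocol, dst port), per the notes
        self.app_cache: Dict[Tuple[str, str, int], str] = {}

    def forward(self, s: Session) -> str:
        """Return the egress interface chosen when session s is set up."""
        key = (s.dst_ip, s.proto, s.dst_port)
        cached_app = self.app_cache.get(key)          # None on a cold cache
        egress = self.default_egress
        for r in self.rules:
            if r.service_port is not None and s.dst_port == r.service_port:
                egress = r.egress   # Service match: applies even to the first session
                break
            if r.application is not None and cached_app == r.application:
                egress = r.egress   # Application match: only via the App-ID cache
                break
        # The firewall identifies the app during the session and caches it,
        # so the *next* session with the same key can match an Application rule.
        self.app_cache[key] = s.app
        return egress

if __name__ == "__main__":
    eng = PbfEngine([PbfRule("ftp-to-leased-line", "ethernet1/3", application="ftp")])
    ftp = Session("10.1.1.5", "192.0.2.10", "tcp", 21, "ftp")
    print(eng.forward(ftp))   # first session: default path, rule not applied
    print(eng.forward(ftp))   # second session: App-ID cache hit, rule applied
```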